Firewall: no BS answer

Stuh505

Everyone seems to agree that a firewall is important even for home internet users. My question is...why? I can read FAQs and get the same answer all the time, but I just use the windows default firewall which I know is "weak" and I've never had any issues.

If I don't open executable email attachments or run programs with viruses, don't open up extra ports on my computer, windows seems to keep everything pretty well locked down.
 
If you use a router, you don't really need a firewall if you're smart about what you're doing.

Firewalls usually won't protect you from opening virus attachments, etc anyway. Sometimes it can, but not always.

However, if you don't have a router and you are connected directly to a cable modem, a firewall is very important to protect you. Is the windows one good enough? *Shrug*, not sure, I really haven't ever compared it with other products.
 
geo metro will get you to work just as well as a ferrari F50 :p

it's all a question of risk management, but you are correct, windows firewall is satisfactory IF you are willing to take on higher risk, not insanely high, just higher than with a better solution. As long as you have all your data backed up, don't mind a higher chance of potential risk then feel free.

Why even have the firewall enabled? why not just keep your PC patched and not use the firewall?

Why even patch the PC? Just backup your data

or don't even backup and hope for the best :D
 
my answer is pretty straightforward...

a firewall allows some element of control over what traffic comes into my pc, and what traffic generated by my pc actually goes out onto the wire...

it's all good saying keep your pc patched, and keep your data backed up... but look at it from another perspective... what if someone got into your machine not to steal your data but to use it to attack other systems...

for me it's not about just having a firewall anymore... i prefer the idea of unified threat management systems i.e. url filtering, spam filtering, virus scanning of network traffic, intrusion detection/prevention etc.
 
This is for everyone.

You don't visit bad web sites.
You don't open attachments.
You don't open ports.
You don't do anything bad at all, ever.

So why would you ever want a firewall that does outbound filtering...

http://www.zdnet.com.au/news/securi..._stealing_trojan/0,130061744,339270922,00.htm
"Camissar admitted that it was possible that the hackers who compromised Samsung's servers would have been able to modify the company's Web site so visitors using a vulnerable browser would become automatically infected with the malware."

Unless you consider a website like Samsung's to be one of the bad ones.

To the OP - do you run Windows with an account that has administrator access? If yes, then it's not "locked down."
 
atomiser touched on this, but it's nice to have a firewall that lets you know when a program tries to go out to the 'net.
 
However, if you don't have a router and you are connected directly to a cable modem, a firewall is very important to protect you.

I have a router but right now I'm just connecting directly through my cable modem. I used the router in the past. I've had no issues either way.

it's all a question of risk management, but you are correct, windows firewall is satisfactory IF you are willing to take on higher risk, not insanely high, just higher than with a better solution. As long as you have all your data backed up, don't mind a higher chance of potential risk then feel free.

Yep, and I do backup, and if I have to reformat it's not that big a deal. However, at this point, I would like to be able to think about the risk management. That is why I am posting here. I don't understand well enough to clearly understand EXACTLY what the risks are, exactly how I COULD be attacked, and exactly what the firewall would do to attempt to protect me. Simply knowing that people will do "something" to attack, and my router will do "something" to defend does not convince me...based on that knowledge alone, I would rather leave myself vulnerable simply to find out what happened, which is my current situation. I don't want to protect myself unless I understand the mechanisms I am using.

You don't visit bad web sites.
You don't open attachments.
You don't open ports.
You don't do anything bad at all, ever.

Well I do visit bad websites. Lots of websites with viruses and trojans. But they don't seem to get me...I get no unwanted traffic, no unknown processes, no unknown cpu usage, no unknown programs or installed crap, no odd behavior. When I detect a virus or a trojan I just delete it.

What I DO do for security is disable java and popups, and scan every file I download, and don't look at email attachments.

I am not sure if it is possible for email attachments to spread by opening word documents or anything so if I'm curious I will open in an ascii or binary editor. Is there any risk from attachments that aren't in the form of a script or binary?

To the OP - do you run Windows with an account that has administrator access? If yes, then it's not "locked down."

Yes, I do use admin access. I tried using a secondary account for a while but then realized it was pointless, because I install and uninstall software almost every time I am using the computer, and I can't deal with logging in and out every 2.5 minutes.

I'm not sure why admin access matters anyway. I have a registry blocker set up, and nothing's trying to install itself anyway. By "locked down," I did not mean truly...I have NO doubt that any cracker who WANTED specifically to target my machine probably could, but I do feel safe from automated anonymous stuff...I feel safe because I haven't been affected.
 
Stuh505 said:
That is why I am posting here. I don't understand well enough to clearly understand EXACTLY what the risks are, exactly how I COULD be attacked, and exactly what the firewall would do to attempt to protect me. Simply knowing that people will do "something" to attack, and my router will do "something" to defend does not convince me...based on that knowledge alone, I would rather leave myself vulnerable simply to find out what happened, which is my current situation. I don't want to protect myself unless I understand the mechanisms I am using.
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081113-0229-99

Without a firewall active, RPC is available for remote connect. Hacker finds an exploit in the service, designs a self-propagating worm, and boom, you're infected just by having your computer on. With a firewall (software or hardware) you'd be protected as long as you haven't explicitly allowed incoming connections on that port.

Well I do visit bad websites. Lots of websites with viruses and trojans. But they don't seem to get me...I get no unwanted traffic, no unknown processes, no unknown cpu usage, no unknown programs or installed crap, no odd behavior. When I detect a virus or a trojan I just delete it.....
Yes, I do use admin access. I tried using a secondary account for a while but then realized it was pointless, because I install and uninstall software almost every time I am using the computer, and I can't deal with logging in and out every 2.5 minutes.

I'm not sure why admin access matters anyway. I have a registry blocker set up, and nothing's trying to install itself anyway. By "locked down," I did not mean truly...I have NO doubt that any cracker who WANTED specifically to target my machine probably could, but I do feel safe from automated anonymous stuff...I feel safe because I haven't been affected.
Don't be so sure, with rootkits programs/drivers can be installed and actively hide themselves from most GUI applications. That means the process won't show up in task manager, when you search the registry for entries it won't be there and when you do a search on your hard drive the trojan/rootkit will be omitted from file listings. All it takes is one browser vulnerability and a well designed trojan and you're infected without even knowing. More trojans are using rootkit techniques these days. Most rootkit installs can only succeed if running as administrator (hooking dlls, installing drivers, etc). Running as a regular user preempts many of these problems.

Use runas to start installations with administrative privileges. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/runas.mspx
I am not sure if it is possible for email attachments to spread by opening word documents or anything so if I'm curious I will open in an ascii or binary editor. Is there any risk from attachments that aren't in the form of a script or binary?
This is the exact type of vulnerability exploited by the recent (this year) malformed office documents - http://www.securityfocus.com/infocus/1874 You open a word doc with embedded code and it's executed when you open it.
In the past Outlook/Outlook Express have been subject to e-mail worms whereby simply viewing an email launches the bad code.
 
You wouldn't believe how much crap a good firewall can keep out. If you have never heard of the program srvcheck, and you run Windows XP, be happy :)

Even the damn BEEP service is vulnerable
 
Thank you da sponge, your response was right on target.

Without a firewall active, RPC is available for remote connect.

Not sure why you say this, because I wanted to be able to remote connect to my computer a while ago with remote desktop connection. The remote connections are disabled by default. I enabled it and changed the port number to something obscure. Strangely, that was on my laptop, on my PC with the same OS (xpsp2) the options to enable remote connections do not even seem to EXIST!

Don't be so sure, with rootkits programs/drivers can be installed and actively hide themselves from most GUI applications.

I had no idea. The only thing I'm ACTUALLY worried about is having credit card information stolen from a keylogger or bad website....I have felt consoled by assuming that I could actually know what processes were running, etc. So this does have me worried and I'll have to read into this "rootkit" thing. I'll probably have some more questions regarding that coming up!

Use runas to start installations with administrative privileges

Ok, maybe I will.
 
Stuh505 said:
Thank you da sponge, your response was right on target.
Not sure why you say this, because I wanted to be able to remote connect to my computer a while ago with remote desktop connection. The remote connections are disabled by default. I enabled it and changed the port number to something obscure. Strangely, that was on my laptop, on my PC with the same OS (xpsp2) the options to enable remote connections do not even seem to EXIST!

No problem. RPC != RDP. RPC is remote procedure call, not remote desktop. http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci214272,00.html http://en.wikipedia.org/wiki/Remote_procedure_call
 
I will say that most people need a firewall. I personally do not use one, but I am very careful as to what I install, what I go to on the net, and everything else you can be careful about. I have never had a problem, to be honest. I know someone will come back saying I am wrong, or either I am stupid. I keep regular backups, and every day almost I look at traffic logs, and I also check a netstat -n and -a fairly often too. I am saying that for me personally, I do not need a firewall other than my router with its SPI. I would say the same to other computer-savvy people that are as careful as I. I just don't want the hassle of a firewall, honestly.

Without a firewall active, RPC is available for remote connect


Not sure why you say this, because I wanted to be able to remote connect to my computer a while ago with remote desktop connection. The remote connections are disabled by default. I enabled it and changed the port number to something obscure. Strangely, that was on my laptop, on my PC with the same OS (xpsp2) the options to enable remote connections do not even seem to EXIST!

RDP and RPC are two very different things. For one, on the lappy, if it's XP Home, RDP is not available. Also, RPC (if I understand correctly) is basically what makes Windows tick; it's not the kernel per se, but if you compromise the RPC, the rest of the machine is soon to follow.
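
Added example, not part of any post in this thread: a Python version of the `netstat -an` check mentioned above, combined with the default-deny inbound rule described earlier in the thread. The netstat output is constructed, the function names are hypothetical, and the port numbers (135 for the RPC endpoint mapper, 3389 for Remote Desktop) are the well-known defaults rather than values given in the thread.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
# 135/tcp is the RPC endpoint mapper, 3389/tcp is Remote Desktop: separate listeners.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:500            *:*
  UDP    127.0.0.1:1900         *:*
"""


def parse_listeners(text):
    """Return (proto, ip, port) for every socket that accepts inbound traffic."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; UDP rows have none and always accept datagrams.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        ip, _, port = local.rpartition(":")
        listeners.append((proto, ip.strip("[]"), int(port)))
    return listeners


def reachable(listeners, firewall_on, allowed=frozenset()):
    """Listeners a remote host can connect to. With the firewall on, inbound is
    default-deny and only the (proto, port) pairs in `allowed` get through."""
    out = set()
    for proto, ip, port in listeners:
        if ipaddress.ip_address(ip).is_loopback:
            continue  # bound to localhost only: not reachable from the network
        if firewall_on and (proto, port) not in allowed:
            continue
        out.add((proto, port))
    return sorted(out)
```

With the firewall off, every non-loopback listener in the sample is reachable, including 135/tcp; with it on and only `("TCP", 3389)` allowed, Remote Desktop is the single exposed service.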
 
RDP and RPC are two very different things. For one, on the lappy, if it's XP Home, RDP is not available.

Remote procedure calls...ok, I vaguely remember something about that from OS class :p

No, I run XP Pro on my laptop and on my PC. RD is available on both, of course. On my laptop I was able to follow all the instructions to enable RD.

On my desktop, the options to enable it in incoming connections simply didn't exist...I could not follow the instructions mentioned in this Microsoft help topic:

"To grant incoming connection access rights to your computer"
 
Well after getting mildly paranoid I ran RootkitRevealer and am apparently kit-free, at least on my desktop. Also for the record I am using a firewall on this one in addition to windows -- the NVIDIA firewall.
 
I guess you don't really NEED a firewall. I mean, I don't use a firewall with my ubuntu computer.
 
I don't know if this was already touched as I skimmed the thread, but a Router will keep out everything I don't want trying to get in from the internet, but you still need a firewall running on your local machine in case another PC within your LAN gets infected.
 
da sponge said:
Don't be so sure, with rootkits programs/drivers can be installed and actively hide themselves from most GUI applications. That means the process won't show up in task manager, when you search the registry for entries it won't be there and when you do a search on your hard drive the trojan/rootkit will be omitted from file listings. All it takes is one browser vulnerability and a well designed trojan and you're infected without even knowing.
Exactly.
Just because you haven't experienced any problems in no way means that you haven't been hacked and that your data hasn't been compromised. Just remember that. No one can be totally secure short of unplugging your internet cable and locking your computer in a safe. However a firewall with as few open ports as possible is a good start to becoming more secure. People today who do not use at least the default Windows Firewall are just asking for trouble.
 